Thursday morning I hopped a flight to San Jose. The plane I was on boasted WiFi available on board (more and more prevalent these days). I figured I'd take a look. Upon booting my laptop I found the available open network to join. It was $4.95 for the flight and I was less than keen to have to pay for WiFi so I declined. However, as I saw more and more people around me getting online, I wondered what the environment looked like in our shared metal tube.
I started up Wireshark with the AirPcap I had with me (yeah, I fly with it). What I found was astonishing. The wireless, even for those who had paid, was wide open. No security whatsoever. Now obviously the pay site was an HTTPS site, but after that there was no security except what was provided on the particular site they were surfing.
Everything was in plain text. The gentleman in front of me was surfing FoxNews; I saw the article URL he was looking at. He changed to political blogs on CNN, I saw that too. Then he accessed his company's VPN. I saw the DNS address for that too.
I decided to hop on their customer service page and see if I could find an explanation for an unsecured network. (Side note, since someone will care: it was a Meru network.) In looking at the "here's how you connect" page and the FAQs I found nothing stating anything about security. There was, however, a link to chat with a customer service representative. I decided to take that opportunity.
When I posed the security question to the CS rep, she very nicely assured me that all communications are encrypted. I then explained that I couldn't see the backhaul to the ground, but that I was looking at packets of the traffic within the plane and it was without any measure of security. After a couple minutes of what I can only assume was the stunned silence of "this question isn't part of my call workflow," I received another equally shocking response. "I'm sorry for the error sir. There must be something wrong with your plane."
Now ignoring the fact that she mentioned something wrong with the plane and not the setup itself, I could have told her what the problem was: a design problem. Now you may be thinking "then Brad, why isn't this in the DP forum?" Well, my answer is simple: that's not the discussion I want to start. We all know that security, no matter what the traffic, is rather essential to our business.
The discussion I want to start is a question of corporate responsibility to the people they service. Do you believe you have an expectation to privacy of your data when using these "public" WiFi networks? Now I would argue that when you go to your local coffee shop and its free WiFi you don't have any expectation to privacy when in this free-for-all environment.
On a network I have to pay for however, I would expect that there is a rather simple setup that could be engineered to allow for my traffic to be at least somewhat secure. And said setup would be relatively easy to implement.
So at what point does a company who offers wireless access in an environment that they wholly control have a responsibility to secure those transactions?
Good post Brad. This raises multiple issues. The vast majority (and by that I mean 99.99 to infinity percent) of the travelling population have absolutely no idea about any of this. Spoke to a few frequent flyers about this very issue last year. "Of course it's secure!!" they all replied. "Do you think XYZ airline would allow anybody to see what's going on around them?" "They're not flying Starbucks, you know!!"
Them dollars needs to keep flowing in. Can you imagine the effects if each passenger was given a "warning sheet" stating that certain information could be made available to persons using the appropriate analysis tools?
Bob and Suzie heading to Orlando with the kids probably couldn't care less (especially after a few $10 margaritas). Simply surfing the net and looking at the football scores. But what of Jim, VP of Sales for ABC? I'm sure he'd have second thoughts.
Loved the bit about the "broken plane". God bless tech support. Had some awful problems after installing Google Chrome last week. Had some free tech support remaining. Was greeted with "Do a complete Windows re-install sir !!" as a first option. Got on a friend's computer and found some great little obscure forum that solved the problem when even Google was baffled.
Aye, away with ye laddie and your scripts and lack of common sense......
I think we'd be better off actually talking to a computer in some cases.
I think a free hotspot should:
* have a "no encryption" policy to ensure the maximum compatibility with all devices.
* sharing a WEP/WPA2 PSK key with everyone doesn't make your network more secure. The attacker needs more time to decrypt traffic using the key. EAP authentication (and different keys per user) is too complex for some mobiles.
* As a simple passenger I am not interested if you find out that I am reading ccn.com.
* If a staff member needs security, then enterprise IT should provide him a VPN (Cisco, Check Point, etc.) or use encrypted mail services (Outlook Anywhere, etc.) using certificates.
* In my opinion, users should avoid all username/password inputs unless it's totally necessary (when connected to public hotspots). If possible use Firefox "Private browsing".
Ruckus Wireless offers a dynamic PSK as a feature of many of their APs.
http://www.ruckuswireless.com/technology/smartsec - look for dynamic PSK flash video.
I have not set one up, and there may be a few more details to configure, but it looks pretty straightforward.
Maybe someone who has set this dynamic PSK feature up (for guest access to a hotel, for example) can offer some more details.
Three words: Virtual Private Network. I expect zero privacy on a Wi-Fi hotspot until I have my VPN up and running. Any proprietary-PSK approach is trying to solve a problem that already has a much better solution. Nothing less than AES/TKIP with 802.1X is sufficient, and even with that, I wouldn't automatically trust the wired network behind the Wi-Fi.
So, fire up the OpenVPN/IPSec/SSL VPN and surf away!
...but have we ruled out that the plane wasn't in fact broken? :D
I agree with amprantino on pretty much everything there. If it's public Wi-Fi, it's to be treated as such. If you have a corporate laptop you want to do business on, it should have a VPN on for that purpose.
The problem is average users just don't know/care about the inner workings of this stuff.
This issue of encryption at free hotspots has got me thinking now.... how could we make it encrypted?
The only thing that popped into my head (and this is way out there, I know), is a way to secure web traffic. The AP/controller could do a proxy from HTTP to HTTPS. What I mean is, the user would connect to an HTTP site, the controller would redirect and destination NAT it to HTTPS, with the HTTPS part being between the user and the controller. The controller would then do the normal HTTP to whatever web server, and return it to the user as HTTPS.
That's just for HTTP anyway, so not a real solution... It was just a random thought.
Other protocols like MSN and Skype are already encrypted. I know my email is encrypted too, but also know that many aren't. Once you fire Windows up, there is all the SMB crap too that floats out. As I said, it's not really a solution, just an idea.
SpiceBoy: If the data leaves your laptop as HTTP (unencrypted) then everyone can sniff it on the air. The problem isn't from the controller to the destination site; usually you assume that "cable" data traffic is secure.
However, assuming the "cable" traffic, behind the AP, as secure is not always a good idea. But it's a huge topic, irrelevant to this forum & topic (I think)....
Your suggestion is a "Man in the Middle" scenario that "advanced" users are afraid of. You ask for an HTTPS site, someone sends you back a fake (trusted or you press "accept") certificate, and then he can read all your data in the middle.
The above is a common practice for enterprise proxies: they use the above technique to check encrypted traffic.
Not quite what I meant. The traffic from laptop would be HTTPS, and HTTP from controller onwards. It would have been all HTTP anyway. Anyway, can't see anyone bothering to implement it, was just a thought. It would only have been to prevent sniffing while it's in the air.
Not all sites support full HTTPS... It's consuming more CPU and resources...